cybergate | 93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc

Analysis

max time kernel
151s
max time network
107s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
Size

1007KB
MD5

aecd043c13b2581b4604fdde90f87fae
SHA1

a73ceb9f653903fff8fc01c9a8a6ef15e1cbee21
SHA256

93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc
SHA512

8aeb5988fe2a1ae30b1e891193fe142f3a164d05426bb1445821cc088bf73fb10b718a25fa69bf4135de86c0a69237bd6a3531e9603e28272e3d4d1981c46cae
SSDEEP

24576:Bt245+7ErHtRJcDwNHa5m8RnYTUtzFtRR+OSgLphaZ3etWrV:d1TJcDwNOmH+bRC8hm3vV

Score

10^/10

cybergate maymacro persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

MayMacro

curtis1145.no-ip.org:1145

Mutex

P1RA63K1N04P7J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System32
install_file
process
install_flag
true
keylogger_enable_ftp
false
message_box_caption
The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.
message_box_title
Adobe Reader Error
password
omolabi

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

UWBCE.cmdUWBCE.cmd

pid process

272 UWBCE.cmd
1224 UWBCE.cmd

pid	process
272	UWBCE.cmd
1224	UWBCE.cmd

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1368-94-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1368-103-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2024-108-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2024-111-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1368-113-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1368-119-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1712-124-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1712-126-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1712-127-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exeUWBCE.cmd

pid	process
2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
272	UWBCE.cmd

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UWBCE.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	UWBCE.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\KGZNY\\UWBCE.cmd C:\\Users\\Admin\\AppData\\Roaming\\KGZNY\\BDGHM-~1"	UWBCE.cmd

Drops file in System32 directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\System32\process	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\System32\process	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

UWBCE.cmd

description pid process target process

PID 1224 set thread context of 1368 1224 UWBCE.cmd RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

UWBCE.cmdRegSvcs.exe

pid process

1224 UWBCE.cmd
1368 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1712 RegSvcs.exe

description	pid	process	target process
PID 1224 set thread context of 1368	1224	UWBCE.cmd	RegSvcs.exe

pid	process
1224	UWBCE.cmd
1368	RegSvcs.exe

pid	process
1712	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeRegSvcs.exe

description	pid	process
Token: SeBackupPrivilege	2024	explorer.exe
Token: SeRestorePrivilege	2024	explorer.exe
Token: SeBackupPrivilege	1712	RegSvcs.exe
Token: SeRestorePrivilege	1712	RegSvcs.exe
Token: SeDebugPrivilege	1712	RegSvcs.exe
Token: SeDebugPrivilege	1712	RegSvcs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RegSvcs.exe

pid process

1368 RegSvcs.exe

pid	process
1368	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exeUWBCE.cmdUWBCE.cmdRegSvcs.exe

description	pid	process	target process
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 2036 wrote to memory of 272	2036	93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 272 wrote to memory of 1224	272	UWBCE.cmd	UWBCE.cmd
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 960	1224	UWBCE.cmd	cmd.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1224 wrote to memory of 1368	1224	UWBCE.cmd	RegSvcs.exe
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE
PID 1368 wrote to memory of 1212	1368	RegSvcs.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe
"C:\Users\Admin\AppData\Local\Temp\93328a4aa25a41f35e203daebefa4f5e7b4eb33e0c3ec65d112c18c3ce1d15cc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd
"C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd" "BDGHM-YSR"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd
C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd C:\Users\Admin\AppData\Roaming\KGZNY\YZYJB
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\err0cx.exe
5⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
238f5039dbb3c08a51a8a13b47649e43

SHA1
afa98c07bbc8b0c875dee332f6a6943313f434b4

SHA256
bfe709bb060250cf997846525a65caa955a7757a9b34ed21b396fb8abbf78d0b

SHA512
bdda5aa4e508ef30a8626499e1811377a43619422c206d9663b7a54229d800f8bb548eeeae8b66ded63f73fa4b096ceb55dbe5f580fb0090936fc5e823313b89

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\BDGHM-YSR

Filesize
5KB

MD5
a5869a817982cdeb4d0673514a2dd798

SHA1
e38ec6330dd340e656946db2c4af02f93bceee5d

SHA256
fb1abbcbd489b83dc0f7564d713c3362daa28c02ae1e643df7a8f82e6bb20ef3

SHA512
cb217d53dddcfbfe3722a025b2aad28c6d1f76bb431e2b388e8620f2bf4ff4f0e0f560723ad97d063d9314363039cf9e46802e5759cd8d831b511ea055bc2848

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\IUXSK.MRZ

Filesize
236KB

MD5
41b16d19b4354eb477fc86c232e91ce7

SHA1
776dba32f6b09d7ebd7484e6fac738482ffd3cdf

SHA256
ae6994c77a96eb0849e5dc0c8ba65755b5e38ca2c71e9ade530bb5d85558910e

SHA512
e0c62309573d8b6b6fef4bcf7e28bc9d0cf321e6645b3e13ff5b359683d6752b06d372a68eae6535e17389d171373e4de88fd4ee9b550aea997a0b807f6a0c9a

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\OFKOM.BOS

Filesize
290KB

MD5
cf663a6978cfd3b26b717f9703cc3f1f

SHA1
126238976d2be8484c4a36b67267e01a50b8217d

SHA256
c7b86d01102590d6b34fd5d3baf64e34258b1d8e0e7dc1ec288c2d5ad808c80f

SHA512
94aab3d7dbd3bc735eb86d75920f08c6c5917f82841689bcb82044310b487c428ebbc8febd58bc1b81b2f6b397b969b9afdd620b5fcf5d4ee7fecc326c53bac3

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\YMQGIX

Filesize
32KB

MD5
fbc0b5d2f40b268ac7addcf78122525a

SHA1
30df1420226005ca15039b719b72e72d99c3abd1

SHA256
651b8aeedd164bd19183c4a8c1710b613b713ac036154241940fb5a268a3e9b6

SHA512
cc67aa6addd4827c4589869d696fdac71206fe154c4aec37da027f9233c7603d4c45bd4373982d3bd62c33970d83504b70113bdfba0b210762d949e14eb55ff7

Download Submit
C:\Users\Admin\AppData\Roaming\KGZNY\YZYJB

Filesize
118KB

MD5
c346f5cd7684d742e218dc717b47c027

SHA1
c1486531db25d3c7f86e6a0031342885bd8580b5

SHA256
f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63

SHA512
90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

Download Submit
C:\Windows\SysWOW64\System32\process

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\KGZNY\UWBCE.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/272-59-0x0000000000000000-mapping.dmp

Download
memory/960-71-0x0000000000000000-mapping.dmp

Download
memory/1212-97-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1224-67-0x0000000000000000-mapping.dmp

Download
memory/1368-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-125-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-84-0x000000000040E1A8-mapping.dmp

Download
memory/1368-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-85-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-89-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-91-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-94-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1368-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-119-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1368-113-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1368-103-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1368-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1712-117-0x0000000000000000-mapping.dmp

Download
memory/1712-124-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1712-126-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1712-127-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2024-108-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2024-111-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2024-102-0x0000000074391000-0x0000000074393000-memory.dmp

Filesize
8KB

Download
memory/2024-100-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download